United States Joins the APEC Cross Border Privacy Rules System | White & Case LLP International Law Firm, Global Law Practice
United States Joins the APEC Cross Border Privacy Rules System

United States Joins the APEC Cross Border Privacy Rules System

White & Case Technology Newsflash

On June 26, 2012 the U.S. Department of Commerce announced the United States' participation in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules ("CBPR") System.[1] The United States is the first non-Asian-Pacific country to join the organization. Now, businesses in the United States may voluntarily comply with the CBPR System and engage in data sharing with Member Economies in APEC, without additional data privacy protection hurdles.[2] The CBPR System is entirely voluntary and does not affect Federal or State laws; thus, organizations in the United States must still comply with relevant Federal and State statutes. The CBPR System, rather, supplements data privacy protections for organizations in the United States that do business in or share information with APEC member economies.[3]

On July 26, 2012, Acting U.S. Secretary of Commerce Rebecca Blank stated that "This system will enable participating companies in the United States and other APEC member economies to more efficiently exchange data in a secure manner and will enhance consumer data privacy by establishing a consistent level of protection and accountability in the APEC region."[4]

APEC was founded in 1989, and is an inter-governmental group, which promotes non-binding commitments to increase economic growth in the Asia Pacific region.[5] APEC Member Economies represent more than 50% of the world's GDP. APEC members include Australia, Brunei, Canada, Chile, China, Hong Kong, Indonesia, Japan, Korea, Malaysia, Mexico, New Zealand, Papua New Guinea, Peru, the Philippines, Russia, Singapore, Taiwan, Thailand, the United States and Vietnam.[6]

The CBPR System was developed by APEC with assistance from the Federal Trade Commission and the Department of Commerce, as a voluntary, certification-based system.[7] The CBPR System provides a minimum level of data privacy practices for companies doing business in participating APEC Member Economies.[8] The CBPR System aims to ensure information privacy protection, increase the free flow of information in the Asia Pacific region, and improve customer confidence while growing electronic commerce.[9]

The CBPR System consists of four elements: (1) Self-Assessment, (2) Compliance Review, (3) Recognition/Acceptance and (4) Dispute Resolution and Enforcement.[10] In order to comply with the CBPR System, organizations must first conduct a Self-Assessment of their data privacy policies, in comparison with the APEC Privacy Framework. This is done with an APEC-recognized questionnaire.[11] The completed questionnaire and any associated documents are then submitted to an APEC-recognized Accountability Agent to review. The Agent then conducts the Compliance review, to ensure that the organization does not fall below the minimum CBPR program requirements.[12] If compliant, APEC will certify the organization, and the organization will be eligible for Recognition/Acceptance.[13] Under this third element, the organization's business details will be published in an APEC-hosted website for consumers and stakeholders to reference.[14] Finally, Enforcement and Dispute Resolution is administered through the Cross-Border Privacy Enforcement Authority.[15] In the United States, enforcement will be handled by the Federal Trade Commission; the FTC was also approved as the CBPR System's first enforcement authority.[16]

Consumer data privacy and protection continue to be an active area of the law, both domestically and internationally. As the economy becomes more globalized, the trend is towards harmonizing data privacy standards to increase efficiency and consistency in the global economy. To keep ahead of such changes, companies should regularly assess their privacy policies and data handling protocols in light of recent prosed legislation and international cooperative agreements, and ensure that they comply with the minimum standards established.

 

[1] Acting U.S. Commerce Secretary Rebecca Blank Announces U.S. Participation in APEC’s Cross Border Privacy Rules System, U.S. Department of Commerce (July 26, 2012), commerce.gov/news/press-releases/2012/07/26/acting-us-commerce-secretary-rebecca-blank-announces-us-participation
[2] APEC Cross-Border Privacy Rules System Goes Public, Issued by the APEC Electronic Steering Group, (July 31, 2012), apec.org/Press/News-Releases/2012/0731_cbpr.aspx
[3] apec.org/Home/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/CBPR/CBPR-PoliciesRulesGuidelines.ashx
[4] Acting U.S. Commerce Secretary Rebecca Blank Announces U.S. Participation in APEC’s Cross Border Privacy Rules System, U.S. Department of Commerce (July 26, 2012), commerce.gov/news/press-releases/2012/07/26/acting-us-commerce-secretary-rebecca-blank-announces-us-participation
[5] About APEC, apec.org/About-Us/About-APEC.aspx
[6] Id. See also, FTC Welcomes a New Privacy System for the Movement of Consumer Data Between the United States and Other Economies in the Asia-Pacific Region, Federal Trade Commission (Nov. 14, 2011), ftc.gov/opa/2011/11/apec.shtm
[7] FTC Welcomes a New Privacy System for the Movement of Consumer Data Between the United States and Other Economies in the Asia-Pacific Region, Federal Trade Commission (Nov. 14, 2011), ftc.gov/opa/2011/11/apec.shtm
[8] Apex Cross-Border Privacy Rules System Goes Public, Issued by the APEC Electronic Commerce Steering Group (July 31, 2012), apec.org/Press/News-Releases/2012/0731_cbpr.aspx
[9] APEC Cross-Border Privacy Enforcement Agency (CPEA), APEC Fact Sheet, apec.org/Press/News-Releases/2010/~/link.aspx?_id=4DD8AD0C197840FEA14C40592533AF0F&_z=z
[10] apec.org/Home/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/CBPR/CBPR-PoliciesRulesGuidelines.ashx
[11] APEC Cross-Border Privacy Rules System, Policies Rules and Guidelines, apec.org/Home/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/CBPR/CBPR-PoliciesRulesGuidelines.ashx
[12] Id. See also, APEC Cross-Border Privacy Rules System Program Requirements, apec.org/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/CBPR/CBPR-ProgramRequirements.ashx
[13] APEC Cross-Border Privacy Rules System, Policies Rules and Guidelines, apec.org/Home/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/CBPR/CBPR-PoliciesRulesGuidelines.ashx
[14] Id.
[15] Id. See also, APEC Cross-Border Privacy Enforcement Arrangement, Fact Sheet, apec.org/Press/News-Releases/2010/~/link.aspx?_id=4DD8AD0C197840FEA14C40592533AF0F&_z=z
[16] FTC Becomes First Enforcement Authority in APEC Cross-Border Privacy Rules System, Federal Trade Commission, (July 26, 2012), ftc.gov/opa/2012/07/apec.shtm

 

This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2012 White & Case LLP